Antecedent factors of violation of information security rules

Authors

  • Alexandre Cappellozza, Universidade Presbiteriana Mackenzie, Centro de Ciências Sociais e Aplicadas
  • Gustavo Hermínio Salati Marcondes de Moraes, Universidade Estadual de Campinas, Faculdade de Ciências Aplicadas
  • Gilberto Perez, Universidade Presbiteriana Mackenzie, Centro de Ciências Sociais e Aplicadas
  • Alessandra Lourenço Simões, Universidade Metodista de São Paulo

DOI:

https://doi.org/10.1108/RAUSP-02-2021-0022

Keywords:

Security, Technology, Violation of information security, Moral disengagement, Information, Structural equation modeling, Neural networks

Abstract

Purpose – This paper aims to investigate the influence of moral disengagement, perceived penalty, negative experiences and turnover intention on the intention to violate the established security rules.

Design/methodology/approach – The method used involves two stages of analysis, using techniques of structural equation modeling and artificial intelligence with neural networks, based on information collected from 318 workers of organizational information systems.

Findings – The model provides a reasonable prediction regarding the intention to violate information security policies (ISP). The results revealed that the relationships of moral disengagement and perceived penalty significantly influence such an intention.

Research limitations/implications – This research presents a multi-analytical approach that expands the robustness of the results by the complementarity of each analysis technique. In addition, it offers scientific evidence of the factors that reinforce the cognitive processes that involve workers’ decision-making in security breaches.

Practical implications – The practical recommendation is to improve organizational communication to mitigate information security vulnerabilities in several ways, namely, training actions that simulate daily work routines; exposing the consequences of policy violations; disseminating internal newsletters with examples of inappropriate behavior.

Social implications – Results indicate that information security does not depend on the employees’ commitment to the organization; system vulnerabilities can be exploited even by employees committed to the companies.

Originality/value – The study expands the knowledge about the individual factors that make information security in companies vulnerable, one of the few in the literature which aims to offer an in-depth perspective on which individual antecedent factors affect the violation of ISP.

 



Published

2022-03-14

Section

Research Paper